Sorry, that should say:
*Wednesday* (Feb 20) 3pm Pacific, 6pm Eastern, 23:00 UTC
Jonas Sicking wrote:
Hi All,
We didn't manage to finish the security review last week, so we're going
to continue tomorrow. The contact info is about the same as last week:
* Tuesday 3pm Pacific, 6pm Eastern, 20:00 UTC
* Mozilla Building S - Central Area
* 650-903-0800 or 650-215-1282 x91 Conf# 217 (US/INTL)
* 1-800-707-2533 (pin 369) Conf# 217 (US)
Background material here:
http://wiki.mozilla.org/User:Sicking/Cross_Site_XHR_Review
There were two big issues that came up during the last review:
Should we send cookies and auth headers for cross site requests:
For now we decided not to, but I'd like to bring this issue up in other
forums too, will do so here shortly. This issue will not be dealt with
tomorrow since it's simply too big to reach a conclusion.
Could DNS rebind attacks be made worse through the access-control spec:
The attack that was brought up was an attacker able to redirect any
given request to his own site. He could then redirect the OPTIONS
request to his own site but let the POST requests go through to the
targeted site and cause harm.
However, this is already possible today. If an attacker can redirect a
single request he could just redirect a request for a script or html
resource which would include scripts that could perform same-site
XMLHttpRequests which would have the same effect.
Anyone is invited to call in or come by.
Best Regards,
Jonas Sicking
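The redirect scenario above rests on a server treating the OPTIONS preflight and the later POST as one unit. The following is an added example (not Mozilla code, and not from the review material) showing the server-side decision logic a defender would want: every request, preflight or not, is checked on its own against an origin allow-list, and a Host header check is added as the standard mitigation for DNS rebinding. The header names follow today's CORS spec, which is assumed to be the successor of the access-control draft under review; the hostname and allow-list are constructed values.

```python
"""Added example: per-request access-control (CORS) decision logic.

Assumptions: modern CORS header names; a single expected hostname; a static
allow-list of origins. Nothing here is taken from the draft under review.
"""

EXPECTED_HOST = "app.example"                  # constructed: hostname this server serves
ALLOWED_ORIGINS = {"https://trusted.example"}  # constructed allow-list of origins


def cors_decision(method, headers, expected_host=EXPECTED_HOST,
                  allowed_origins=ALLOWED_ORIGINS):
    """Return (status, response_headers) for one HTTP request.

    The server never assumes that because an OPTIONS preflight was answered,
    the POST that follows is the request the preflight was for: each request
    carries its own Origin and is validated independently.
    """
    # Header names are case-insensitive; normalise once.
    h = {k.lower(): v for k, v in headers.items()}

    # DNS-rebinding mitigation: a browser that was rebound to this server's IP
    # still sends the attacker's hostname in Host, so refuse anything not ours.
    if h.get("host") != expected_host:
        return 421, {}  # 421 Misdirected Request

    origin = h.get("origin")
    if origin is None:
        # No Origin header: same-origin or non-browser client, no CORS headers.
        return 200, {}

    if origin not in allowed_origins:
        # Reject both preflights and actual requests from unknown origins.
        return 403, {}

    common = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}

    if method == "OPTIONS":
        # Preflight answer. No Access-Control-Allow-Credentials header is sent,
        # matching the thread's decision not to carry cookies/auth cross-site.
        return 204, {**common,
                     "Access-Control-Allow-Methods": "GET, POST",
                     "Access-Control-Max-Age": "600"}

    # Actual request from an allowed origin.
    return 200, common


if __name__ == "__main__":
    preflight = {"Host": "app.example", "Origin": "https://trusted.example"}
    print(cors_decision("OPTIONS", preflight))
    rebound = {"Host": "attacker.example", "Origin": "https://trusted.example"}
    print(cors_decision("POST", rebound))
```

The point to notice is that the POST path performs the same Origin check as the preflight, so a preflight redirected elsewhere buys an attacker nothing at this server, and the Host check rejects traffic that only arrives because of a rebound DNS name.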